Bypassing the MAC address authentication and open authentication

The Media Access Control (MAC) address uniquely identifies each node in a network. It takes the form of six pairs of hexadecimal digits (0 to 9 and the letters A to F) that are separated by colons or dashes, and usually appears like this: 00:50:56:C0:00:01.

The MAC address is usually associated with a network adapter or a device with networking capability; for this reason, it's frequently called the physical address.

The first three pairs of digits in the MAC address are called the Organizationally Unique Identifier (OUI), and they serve to identify the company that manufactured or sold the device. The last three pairs of digits are specific to the device and can be considered to be a serial number.

Because a MAC address is unique, it can be used to associate a user to a particular network, especially a wireless network. This has two significant implications—it can be used to identify a hacker or a legitimate network tester who has tried to access a network, and it can be used as a means of authenticating individuals and granting them access to a network.

During penetration testing, the tester may prefer to appear anonymous to a network. One way to support this anonymous profile is to change the MAC address of the attacking system.

This can be done manually using the ifconfig command. To determine the existing MAC address, run the following from a command shell:

root@kali:~# ifconfig wlan0 down
root@kali:~# ifconfig wlan0 | grep HW

To manually change the MAC address, use the following commands:

root@kali:~# ifconfig wlan0 hw ether 38:33:15:xx:xx:xx
root@kali:~# ifconfig wlan0 up

Substitute different hexadecimal pairs for the xx expressions. This command will allow us to change the attacking system's MAC address to one that is used and accepted by the victim network. The attacker must ensure that the MAC address is not already in use on the network, or the repeated MAC address may trigger an alarm if the network is being monitored.

The wireless interface must be brought down before changing the MAC address.

Kali also permits the use of an automated tool, macchanger. To change the attacker's MAC address to a MAC address of a product produced by the same vendor, use the following macchanger command from a Terminal window:

root@kali:~# macchanger wlan0 -e

To change the existing MAC address to a completely random MAC address, use the following command. You should be able to see the macchanger tool, as shown in the following screenshot:

root@kali:~# macchanger wlan0 -r

The following screenshot provides the new MAC address assigned for our wireless adapter:

Some attackers use automated scripts to change their MAC addresses on a frequent basis during testing to anonymize their activities.

Many organizations, particularly large academic groups, such as colleges and universities, use MAC address filtering to control who can access their wireless network resources. MAC address filtering uses the unique MAC address on the network card to control access to network resources; in a typical configuration, the organization maintains a whitelist of the MAC addresses that are permitted to access the network. If an incoming MAC address is not on the approved access list, it is restricted from connecting to the network.

Unfortunately, MAC address information is transmitted in clear text. An attacker can use airodump to collect a list of accepted MAC addresses and then manually change their MAC address to one of the addresses that is accepted by the target network. Therefore, this type of filtering provides almost no real protection to a wireless network.
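From the monitoring side, the duplicate-address alarm mentioned earlier and the allowlist check described above can be sketched as follows. This is an added example, not code from the book: the association events, access point names, allowlist, function names, and the 30-second window are all constructed assumptions.

```python
import re

# Six hex pairs joined by one consistent separator (colon or dash).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")

def normalize(mac):
    """Return the MAC as lowercase colon-separated pairs, or raise ValueError."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()

def oui(mac):
    """First three pairs: the vendor prefix."""
    return normalize(mac)[:8]

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks an address that was not vendor-assigned.
    return bool(int(normalize(mac)[:2], 16) & 0x02)

# Constructed sample: (seconds, access point, client MAC) association events.
EVENTS = [
    (100, "ap-lobby", "00:50:56:C0:00:01"),
    (105, "ap-lab",   "38-33-15-AA-BB-CC"),
    (110, "ap-lab",   "00:50:56:c0:00:01"),  # same MAC on another AP 10 s later
    (400, "ap-lobby", "38:33:15:aa:bb:cc"),  # same MAC much later: plausible roam
    (410, "ap-lab",   "3a:11:22:33:44:55"),  # locally administered bit set
]
ALLOWLIST = {"00:50:56:c0:00:01", "38:33:15:aa:bb:cc"}

def review(events, allowlist, window=30):
    """Flag unlisted and locally administered MACs, and any MAC seen on two
    different access points within `window` seconds (assumed threshold)."""
    findings, last_seen = [], {}
    for ts, ap, raw in sorted(events):
        mac = normalize(raw)
        if mac not in allowlist:
            findings.append((ts, mac, "not-on-allowlist"))
        if is_locally_administered(mac):
            findings.append((ts, mac, "locally-administered"))
        prev = last_seen.get(mac)
        if prev and prev[1] != ap and ts - prev[0] <= window:
            findings.append((ts, mac, "concurrent-use"))
        last_seen[mac] = (ts, ap)
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS, ALLOWLIST):
        print(finding)
```

An allowlisted address that is cloned while its owner is offline raises none of these flags, which is why the filter cannot stand in for real authentication.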

The next level of wireless network protection is provided using encryption.
